Posted by CmdrTaco on Thursday February 16, 2006 @03:15PM from the rolling-in-the-benjamins dept.

An anonymous reader writes "iDefense, a Verisign company, is offering $10,000 to any researchers who find and report to it information on a previously unknown Windows flaw for which Microsoft later issues a "critical" advisory, according to a story over at Washingtonpost.com. Not really surprising, considering that Russian hacking groups are now paying thousands of dollars for exploits that attack unpatched holes in Windows. From the article: "Details of the flaw must be submitted exclusively to iDefense by March 31. There is no limit on the number of prizes that can be paid: if five researchers find and report five different Windows flaws for which Microsoft later issues critical advisories, all five will get paid...iDefense will change the focus of the challenge with each quarter -- the next challenge may focus on another vendor, or it may just center on a particular class of vulnerabilities.""

"Hello, ummm, my name is, um, Gil Baites. I would like to submit 45,000 flaws that I suspect will be reported quite soon by Microsoft. However, I do not have any certain knowledge of this event, as I have no connection to the company. Now if you'll excuse me, I must go back to my mansion and to my wife Gelinda. Thank you."

If you're in the hunt, don't focus on Windows 3.1 or ME, since as of June 30, 2006 Windows will no longer be issuing critical warnings for either of those Operating Systems even if they know they exist. Well they might issue one out of the goodness of their hearts to encourage an upgrade to X...err Vista, but there will be no official patch.

On second thought, maybe looking at Windows 3.0 coding errors would reveal flaws in Vista. After all, think of the WMF flaw...

Considering the copyright notice on Windows XP is from 1985 to present, finding security vulnerabilities [msversus.org] in their old software may not be such a bad idea. At least some of the old code still resides in current versions of Windows. They've never performed a complete rewrite.

If you're in the hunt, don't focus on Windows 3.1 or ME, since as of June 30, 2006 Windows will no longer be issuing critical warnings for either of those Operating Systems even if they know they exist.

Frankly I'm quite surprised Windows 3.1 was issued critical warnings up until then.

Why not? iDefense doesn't just release the vulnerabilities unannounced or sit on them exploiting them for profit, they submit them to Microsoft Security and publish only after a patch has been released. If anything, Microsoft should be happy that somebody is providing independent researchers a financial incentive not to release 0-day vulnerabilities to public lists.

I dunno, what do they get out of being the ones to report the flaw to MS? If I found a critical flaw and reported it directly to MS, would I get paid? I doubt it. So how does iDefense get their money back? An army of spamming/DDOSing zombies for a month or so, and then report it would be my guess. That's if I was prone to paranoia, which I'm not, so stop looking at me like that! There was a look there, don't deny it, I'm onto you!!

Sue them for what? I don't see how this is any different from other vulnerability bounties, or even a more general science bounty. The only way MS could sue someone is if they made NDAs mandatory for those who use Windows. And then, they could only sue the person who "leaked" the information.

This is what Linux companies should be doing. Pay developers that find an exploit in Linux a couple thousand dollars and make sure the hole gets fixed quickly. Obviously then it becomes a race for the companies to have their own employees find and fix the holes before outside developers do the same. Maybe have some lesser (since they're already getting a paycheck) bounty available to their own employees that find the holes and fix them.

As open as Linux is this kind of motivation could really bring in the eyeballs to make those holes shallow and get them patched up. Make the bounty $10,000 for critical bugs and maybe $2000 for lesser security bugs. If you get the kernel patched up then start working on libraries and then apps and by then it should be time to start looking at the kernel again.

I've heard of similar projects for Linux before but if they still exist I never hear anything about them. It really needs to be a well publicized project if such a thing exists - otherwise people won't know about it and contribute.

A "critical" Windows flaw is one that allows remote exploitation. Find me a Linux distro in the past 3 or 4 years that is remotely exploitable in a default configuration, and *I'll* pay you the bounty.

That isn't a lot when you could sell the exploit on the internet like the WMF exploit was, a snip at $5000 each; think how many people bought that in the malicious website, porn internet, fake anti-spyware companies like Win Hound. Somehow I don't think this will last long.

Yes but the idea is obviously to encourage the "good guys" to find and report the holes before the "bad guys" find out about them. Most people would not trade security holes for cash on the black market, but they would certainly deliver them to a security company for pay.

It's already been around for a year and a half, according to the dates on this page [idefense.com]. In case you're skeptical of the source, those dates do seem about right - I remember seeing their announcements on the major security lists (it generated a bit of derisive controversy on full disclosure, as I recall), and 2 summers ago sounds about right.

The major difference here is that this is legal and the right thing to do. Selling exploits to scum like that is on the same moral level as skiddies. A lot of hackers have no desire to damage innocent people, the rest are lame.

They're investing in the first corporate-sponsored botnet. Now you can give your spam relay the corporate sponsorship it's always been craving! For an added bonus, we'll throw in a few auth certificates if you decide to become an elite Platinum Botnet customer!

Don't delay, act now! Really, we mean it. Because the offer is only valid until Microsoft's next Critical Advisory.

"iDefense will change the focus of the challenge with each quarter -- the next challenge may focus on another vendor, or it may just center on particular class of vulnerabilities."

Or, iDefense may never pay any of the $10K prizes, citing independent discovery, not-really-critical status or just the fact that Verisign knows how to say "fuck you" better than almost anyone. Instead, they'll just get shitloads of free press for their cheesy security contest and a couple of marks will sign up for and/or buy whatever it is that Verisign/iDefense is hawking today.

Windows will be one step (okay, 87,000 steps) closer to finally being as stable as nitroglycerin. M$ slaves around the world rejoice. *nix users either 1.) laugh at the unwashed masses, 2.) sigh and shake their heads at the primitive savages, or 3.) are too busy being productive to notice.

Put down the crackpipe please. Do you have a disease? You think everyone on the internet is talking about you?

Neither the GP nor its sibling post are implying anything about your conduct. Both are making the same point - for some people extortion isn't an option. They're not suggesting YOU engage in extortion.

No possible reading of their posts suggests anything different to me.

Besides, if you can't take a few cheap digs and insinuations without wetting yourself, you shouldn't be here, pinhead.

I asked if they were insinuating something, based on the fact that anyone with more than 2 braincells already knows it's illegal and immoral, and most people wouldn't do it; the point of my post is people still do.

I didn't wet myself at all mate, you seem to be the one who overreacted.

I normally don't feed trolls but I am in the mood today.....
Get off your high horse Klootzak. You are the one overreacting. You need to pay attention and engage mind before mouth/typing. Consider yourself shot down and corrected. You totally misread the post and are out of line. weierstrass made a valid point and corrected you. You decided to take it wrong. Way wrong. I have a feeling you think you are always right and argue a lot. I am going to say you're male. Late 20's. Single. I could go on and on abou

/*
Yet someone else who is assuming I'm extorting companies?
I said in the above, I SEE this as part of my job, I don't DO it?
You guys love your conclusion-jumping don't you? */

uhh.... seriously, no more espresso. I didn't accuse you of anything, I said that the thing you are DESCRIBING is extortion. Now, you can gather whatever info you want from the above comment, and re-think your response.

My apologies, but I would've thought ANYONE on Slashdot would know it's illegal and immoral and runs the risk of prison? That's common knowledge?

OK, in the root of this thread, in the subject line, you say that more incentive is required to make this offer worthwhile. My reply and the GP state that there is, in fact, a possibility that there are security researchers who would rather have bugs fixed and get a smaller reward than risk prison time for a larger purse that may end up being nothing. This may be

Make more money just working in "white-hat" security consulting if you are good enough to find exploits though, any company involved in asset-management or even just high-volume b2b transactions craves those skills (for obvious reasons).

If iDefense (Verisign) can come up with $10K per critical Microsoft Windows flaw, why can't HP (or any other party interested in a secure environment) come up with money to support the development of applications for their own, very secure operating system: HP OpenVMS [hp.com]? Why does this industry focus so much on Microsoft Windows and totally ignore alternatives?

support the development of applications for their own, very secure operating system: HP OpenVMS? Why does this industry focus so much on Microsoft Windows and totally ignore alternatives?

Maybe the question you should be asking is: Why does everyone USE windows instead of HP OpenVMS? And the answer is usually, because being able to use it is primary and being able to use it securely is secondary. Most people can't just pick up an OpenVMS server and use it in 5 minutes--ok so most can't pick it up at a

If that were true, then why bother with OS X, BSD, SCO:-), AIX, Linux, QNX, or any other software product not from Microsoft? Besides, my granny is heating her snuggery with an HP Integrity Superdome Server [hp.com].

Well, sure you're going to see all of those as newsworthy, but most of the news is focused on the biggest market--actually I think Windows gets less coverage than its market share would dictate by itself (thank God).

At work, the only HP server we have is running Exchange with windows.. I wouldn't trust granny with that much power.

Umm... what's to stop iDefense from sitting on the details of the flaw?
They say the submission must be exclusive and to get the cash Microsoft must issue a critical advisory. If iDefense does whatever they want with it and doesn't tell Microsoft, doesn't that mean Microsoft can't issue an advisory on a flaw they don't know about and iDefense doesn't have to give the submitter jack?
Yeah, I admit it's far-fetched but I'd be reading the fine print to say the least.

If I discover an obscure remotely exploitable security flaw in a Microsoft beta product (thus, unlikely to lead to a "critical" advisory,) why should I not sit on it until a few months after release and get paid?

Bugs are worth more on the black market. Blackhats do not release their bugs to $VENDOR; that puts a stop to their money making by dropping adware, keyloggers, and trojans on poor unsuspecting Joe Average User. No matter how large the bounty is, no matter how appealing the company tries to make it, it will only attract white hats, and some greyhats. The best exploits stay underground for an extremely long time until a whitehat catches a blackhat doing something careless (like not deleting their exploit they

That article sez that Vista is too secure, and that the British govt wants a back door....
The Russian mafia are going to pay haxors big bucks for a back door if they find one (like the recently found WMF exploit - which some claim is a purposely put in 0-day exploit). I can't believe a government would push for this type of exploit, as they really just fuel the spyware and hacking economy!

If the British govt get their way, Vista WILL have exploits, so its just a

Maybe crackers can sell their exploits to the highest bidder with the 10 Grand from iDefense being the reserve price. With all of the programmers out of jobs due to outsourcing, this is a way for American workers to compete on a level playing field.

Do the world a great service by finding windows bugs and then take it up the ass for 15 years when Shyster H. Lawyer decides to prosecute under the dmca because you took apart some binaries. Don't agree? Why do you think symantec and friends didn't want to mess with the BMG fiasco? Same reason. Microsoft made this mess, let them straighten it out.

I could disconnect from the net and be safe forever too. I wonder if I'll get a $50K reward for issuing that particular advisory? I see it now... "Your computer is connected to the Net. We recommend ripping out your modem, network card, and wireless networking devices to ensure your PC's safety."

(a) There is no telling how many remain. Windows may be getting close to "tight" in terms of remote exploitability, or it may still have several gaping holes. RPC-based exploits (the "real" dangerous ones) seem to have been closed for a while. It's mostly overflows and breakouts now, and mostly on user-initiated processes. [User-initiated processes don't spread like wildfire inside of corporate networks, like RPC-type flaws. Dangerous, but not panic-level stuff...]
(b) People pay for these exploits beca

Wow - And people complain that I make little sense sometimes. I mean, seriously - if you write a program computed the distance between two objects, and later on used that distance to get out of style, it just has suited up.

That's total bollocks. Granted, the fact that windows is more popular than linux is *one* factor that discourages malware for linux, but it's far from the only one.

Linux systems are designed to be run by users, and administered as root. Windows systems, by and large, are impossible to run as anything but root - many programs require root access to work properly, and Windows (up until recently) never had the equivalent of a Linux sudo to get around that requirement. Windows developers have been encouraged for years to write programs dependent on root access. Execute permissions prevent accidental execution of malware on Linux, as does not having a stupid system of extensions which are so easily spoofed (especially when default Windows behaviour is to hide recognized extensions!). The move over to NTFS was good, but it only really hit the public with XP. I still know many people using FAT-based systems. How long has Linux been running a permissions-based filesystem? There's a few architectural security advantages Linux has over Windows. On the more abstract level, being open source gives Linux the potential to be more secure - it's hard to hide critical vulnerabilities in Linux, whereas MS has a history of doing so for Windows.

Firefox is another issue entirely; it's an application, not an OS. But comparing it to MS's Internet Explorer, it's far and away more secure. It doesn't install things behind the user's back, as MS IE does so very often. It doesn't allow the incredibly insecure ActiveX components. I've never had a spyware infection or browser hijack simply by browsing in Firefox. On my new laptop, however, I was browsing around using IE while I waited for Firefox to download, and in between the time it took to start the download, and the time it had finished, IE had managed to install a little bugger called Aurora for me. Thanks IE!
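The "hide recognized extensions" behaviour the post above complains about can be modelled and checked. The following is an added example, not code from the thread or from Microsoft: it reproduces the display rule (only the final, registered extension is hidden, so "invoice.pdf.exe" is shown as "invoice.pdf") and flags attachment names that rely on it. The extension sets, the `SAMPLE_ATTACHMENTS` list and the function names are constructed for this demonstration.

```python
"""Double-extension check for attachment names (added example, not from the thread).

Windows Explorer's default "hide extensions for known file types" drops only the
final extension, so "invoice.pdf.exe" is displayed as "invoice.pdf". The helpers
below model that display rule and flag names that exploit it so a mail gateway
or analyst sees both what the user saw and what the file actually is.
"""
from pathlib import PureWindowsPath

# Constructed set: extensions Windows treats as directly runnable code.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Constructed set: document/media extensions that serve as a decoy in front of them.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt", ".mp3"}
KNOWN_EXTS = EXECUTABLE_EXTS | DECOY_EXTS


def displayed_name(filename: str, hide_known_ext: bool = True) -> str:
    """Name as Explorer shows it: with the hide-extension option on, the last
    extension is removed when it is a registered (known) type; nothing else changes."""
    p = PureWindowsPath(filename)
    if hide_known_ext and p.suffix.lower() in KNOWN_EXTS:
        return p.stem  # stem drops only the final suffix, leaving "invoice.pdf"
    return p.name


def is_disguised_executable(filename: str) -> bool:
    """True when the real (last) extension is executable and the extension that
    stays visible after hiding is a document/media type: the double-extension trick."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    return (len(suffixes) >= 2
            and suffixes[-1] in EXECUTABLE_EXTS
            and suffixes[-2] in DECOY_EXTS)


def scan_attachments(names):
    """Return (shown, real) pairs for every name that is a disguised executable,
    in input order, so the analyst sees what the user saw next to the truth."""
    return [(displayed_name(n), n) for n in names if is_disguised_executable(n)]


# Constructed sample: attachment names as a mail gateway might log them.
SAMPLE_ATTACHMENTS = [
    "invoice.pdf.exe",   # shows as "invoice.pdf" with extensions hidden
    "Q1-report.docx",    # benign document
    "holiday.jpg.scr",   # shows as "holiday.jpg"; .scr runs as a program
    "setup.exe",         # honest executable, shown as "setup"
    "notes.txt",
]

if __name__ == "__main__":
    for shown, real in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"displayed as {shown!r:20} actual file {real!r}")
```

The check is deliberately narrow: it only flags the decoy-then-executable pattern, so a legitimate "archive.tar.gz" or a plain "setup.exe" passes, and a gateway can apply it as one signal alongside content-type sniffing rather than as a block rule on its own.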

Linux systems are designed to be run by users, and administered as root. Windows systems, by and large, are impossible to run as anything but root - many programs require root access to work properly, [...]

This is solely an application problem. It has _nothing_ to do with Windows.

[...] and Windows (up until recently) never had the equivalent of a Linux sudo to get around that requirement.

It's always had the functionality.

Windows developers have been encouraged for years to write programs dependent on

Encouraged how? What Microsoft documentation can you provide showing that developers have been told to write applications dependent on Administrator level access? How do you reconcile this claim with the requirement of the "Made for Windows XP" logo that applications must run in a normal user account?

They encouraged it prior to the release of XP. Then they released XP, and changed the way programs are supposed to perform OS operations. Ok, that was a good step. But you can't expect millions of program

They encouraged it prior to the release of XP. Then they released XP, and changed the way programs are supposed to perform OS operations.

How? Give some specific examples.

Ok, that was a good step. But you can't expect millions of programs out there to be re-written to do it the new way. Even though they have now changed the way they recommend programs be written for their OS, their previous stance still has repercussions in the current state of Windows software.

Developers have had no excuse not to be writing LUA-friendly applications since about 1998. That's when every shipping version of Windows had support for per-user profiles and registries.

That was when support for multiple users was added. But when did MS start saying that programs should be developed so they can work in a non-root setting? From the development perspective, "LUA-friendly" is just another feature. If you don't need it, you don't use it. You just keep doing things the way you usually do. It's no